Research on Model and Method of Heterogeneous Data-source-oriented Network Security Situational Awareness

(Original title: 面向异构数据源的网络安全态势感知模型与方法研究)

【Author】 李建平

【Supervisor】 王慧强

【Author information】 哈尔滨工程大学 (Harbin Engineering University), Computer Application Technology, 2010, Doctoral dissertation

【Abstract (translated from the Chinese)】 With the continuous development of network technology and the continuous expansion of its application scope, networks have become an important driving force for social progress. However, the constantly deteriorating network environment makes the security problems faced by network technology increasingly prominent. Traditional single-point, single-source security defense systems (such as IDS, firewall and VDS) have improved network security to some extent, but because they lack effective collaboration with each other, they cannot truly achieve overall security situation monitoring of the whole network. Network Security Situational Awareness (NSSA) emerged against this background and quickly became a hot research topic in the network security field. Network security situational awareness refers to extracting, understanding and displaying, in a large-scale network environment, the security elements that can cause the network security situation to change, and predicting their future development trend. At present, the research group has carried out a great deal of work on NSSA and obtained many research results, but research on heterogeneous data sources in such systems is still immature; the key technical problems of heterogeneous-data-source-oriented NSSA systems, namely the framework model, data preprocessing, quantitative awareness and dynamic prediction, remain to be solved. On this basis, this dissertation proposes research on heterogeneous-data-source-oriented network security situational awareness and examines the related core technical problems in depth. First, addressing the shortcomings of existing framework models, such as a single data source or homogeneous multiple sources, large response delay, poor self-protection, and poor stability and fault tolerance, and drawing on the advantages of mobile agents, a heterogeneous-data-source-oriented NSSA system framework model is proposed. The framework is divided, from bottom to top, into an information acquisition layer, a data preprocessing layer and a situation decision layer, establishing a research route from information acquisition through quantitative awareness to situation prediction. The modules involved in each layer are designed in detail, yielding a systematic, dynamic, distributed and adaptive NSSA framework structure. The framework model is analyzed with the PEPA formal modeling language, which verifies its rationality and lays the foundation for the subsequent research. Second, on the basis of the framework model, in order to fuse network security information from heterogeneous data sources, a "three-stage" data preprocessing method is proposed, comprising data classification based on the Undirected Graph Model (UGM), information fusion based on Dempster-Shafer (DS) evidence theory, and classification correction of evidence-conflict data. Experimental results show that the method achieves high detection precision and detection speed in data classification; it not only guarantees classification precision, removes the adverse effects of uncertain noisy data and effectively avoids evidence conflict in DS information fusion, but also improves data classification accuracy, providing data support for the subsequent quantitative awareness and prediction of the network security situation. Third, a conditional random field (CRF) based method for quantitative awareness of the network security situation is studied. The method takes situation-classified alert information as the element of quantitative awareness, combines it with host vulnerabilities and states, defines a network security threat degree to express network risk, uses a network security threat degree algorithm to classify attacks, and finally generates an explicit network security situation chart, dynamically completing quantitative awareness of the whole network's security status. Experimental results show that the algorithm has high detection precision, can effectively combine factors such as vulnerabilities, assets and environment to evaluate the degree of network security threat represented by an alert, classifies network attacks accurately, produces objective and truthful results, presents the security situation correctly to security managers, and provides the conditions for the subsequent prediction of the network security situation. Finally, in order to predict the network security situation more accurately, an adaptive prediction method based on the Volterra model is studied, targeting the nonlinear time-series characteristics of the network security situation. The method builds the Volterra model according to Takens' theorem and phase-space reconstruction theory to achieve dynamic adaptive prediction of the network security situation. Experimental results show that when the correct neighboring trajectories of the chaotic attractor are selected and the size of the training set is controlled appropriately, the method has a fast convergence speed and strong approximation ability, reaches high prediction accuracy, effectively predicts the network security situation, and assists security analysts and managers in adjusting security policies in time.

【Abstract】 With the rapid development of network technology and its application, networks have become an indispensable part of social development. However, the continued deterioration of the network environment brings about severe security problems in networks. Traditional single-point, single-source security defense systems such as IDS, firewall and VDS can only enhance the security of a network system to a certain degree. However, due to the lack of effective collaboration, the security situation of the whole network cannot be monitored effectively. Under these circumstances, the study of network security situation awareness (NSSA) is put forward as a key topic of network security research. Network security situation awareness means that the system can extract, understand and display the security elements and then predict the security situation in the future. Though there are many research methods on situation awareness, NSSA is still in its infancy. There exist many technical problems such as heterogeneous data-source-oriented architecture, situation element preprocessing, situation quantitative awareness and situation dynamic prediction. Combined with the specific requirements of the project, an overall solution for a heterogeneous data-source-oriented network security situation awareness system (NSSAS) is proposed, and the core technologies are studied in depth in this dissertation. Firstly, considering the drawbacks of existing architectures such as a single data source or multiple sources with homogeneous data, long response delay, weak self-protection and lack of fault tolerance, a heterogeneous data-source-oriented network security situation awareness system architecture based on mobile agents is studied. This architecture is divided into an information access layer, a data preprocessing layer and a situation decision layer, which build a research path from information access to quantitative awareness and then to situation prediction. Every module in these three layers has been designed carefully, and a systematic, dynamic, distributed and self-adapted NSSA architecture is built at last. The architecture is analyzed with the formal modeling language PEPA, and the rationality of this model is validated for the following research. Secondly, based on the NSSA architecture, a three-step data preprocessing method is proposed for the fusion of network security information from heterogeneous data sources. This method includes data classification based on the Undirected Graphs Model (UGM), information fusion based on Dempster-Shafer (DS) evidence theory and classification amendment for the conflict data. The experimental results show that the method has high detection accuracy and fast speed, which guarantees the classification accuracy and eliminates the bad influence of uncertain noise data. Our method can avoid the evidence conflict in DS information fusion and enhance the ability of data classification for the following NSSA quantitative awareness and prediction. Thirdly, a network security situation quantitative awareness method is proposed. Combined with host vulnerabilities and states, our method extracts the situation classification alarm information as the element of network security situation quantitative awareness and defines the network security threat degree to demonstrate the network risk. To classify the different attacks, the network risk degree algorithm is applied and the network situation chart is generated for quantitative awareness of the whole network security state. Experimental results show that our algorithm can evaluate the network security threat degree from an alarm record effectively. The classification results on network attacks are truthful and objective, which can reveal the security situation for the following network security situation prediction. Finally, to address the nonlinear time series of the network security situation, a self-adapted prediction method based on the Volterra model is proposed. In order to achieve dynamic self-adapted prediction of the network security situation, our method builds the Volterra self-adaptation model according to Takens' theorem and phase-space reconstruction theory. The experimental results show that when selecting the correct neighboring track of the chaotic attractor and controlling the scale of the training set properly, our method has a fast convergence speed and strong approximation ability. With high prediction accuracy, our self-adapted prediction can help administrators adjust the security policy.
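The Dempster-Shafer fusion step and the evidence-conflict problem that both abstracts describe, as an added Python example (not code from the dissertation): Dempster's rule combines mass functions from two constructed sources (an IDS and a firewall log) over a three-class frame, reports the conflict factor K, and flags a record whose K exceeds a threshold as conflict data for the classification-correction stage. The frame, the sample masses, the threshold and the flagging policy are assumptions made for this example, not the dissertation's own method.

```python
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

# A basic probability assignment (mass function) over subsets of the frame of discernment.
Mass = Dict[FrozenSet[str], float]

def ds_combine(m1: Mass, m2: Mass) -> Tuple[Mass, float]:
    """Dempster's rule of combination: returns the normalized combined mass and
    the conflict factor K (total mass on focal-element pairs with empty intersection)."""
    joint: Dict[FrozenSet[str], float] = {}
    conflict = 0.0
    for a, b in product(m1, m2):
        weight = m1[a] * m2[b]
        meet = a & b
        if meet:
            joint[meet] = joint.get(meet, 0.0) + weight
        else:
            conflict += weight  # contradictory evidence ends up here
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: the sources cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in joint.items()}, conflict

def fuse_sources(sources: List[Mass], k_threshold: float = 0.5) -> Tuple[Mass, float, bool]:
    """Fuse evidence from several heterogeneous sources in turn and return the fused mass,
    the largest conflict factor seen, and a flag marking the record as conflict data that
    needs classification review (threshold and policy are assumptions for this example)."""
    fused = sources[0]
    worst_k = 0.0
    for nxt in sources[1:]:
        fused, k = ds_combine(fused, nxt)
        worst_k = max(worst_k, k)
    return fused, worst_k, worst_k > k_threshold

# Constructed sample: frame {dos, probe, normal}; masses from an IDS alert and a firewall log.
THETA = frozenset({"dos", "probe", "normal"})
IDS_MASS: Mass = {frozenset({"dos"}): 0.7, frozenset({"dos", "probe"}): 0.2, THETA: 0.1}
FW_MASS: Mass = {frozenset({"dos"}): 0.5, frozenset({"normal"}): 0.3, THETA: 0.2}
# Constructed conflict case: a host agent that contradicts a confident IDS almost completely.
IDS_STRONG: Mass = {frozenset({"dos"}): 0.9, THETA: 0.1}
HOST_MASS: Mass = {frozenset({"normal"}): 0.9, THETA: 0.1}

if __name__ == "__main__":
    for label, srcs in (("ids+firewall", [IDS_MASS, FW_MASS]), ("ids+host", [IDS_STRONG, HOST_MASS])):
        fused, k, flagged = fuse_sources(srcs)
        shown = {"/".join(sorted(s)): round(v, 3) for s, v in fused.items()}
        print(label, shown, "K=%.2f" % k, "conflict_flag=%s" % flagged)
```

In the first case K = 0.27 and the fused mass on {dos} rises to about 0.88, while in the second case K = 0.81 leaves {dos} and {normal} tied after normalization, which is exactly the kind of record the correction stage has to revisit rather than trust.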
